What Is Open Redirect?
An open redirect is a security vulnerability where a website accepts a user-supplied URL as a redirect destination without validation, allowing attackers to redirect visitors to malicious sites while appearing to link to a trusted domain.
Why It Matters
Open redirects are listed in the OWASP Top 10 as a known security vulnerability. They let attackers abuse your domain’s reputation to make phishing links look trustworthy.
The server responds with a 3xx status code and a Location header pointing to whatever URL the attacker supplied. For domain forwarding this matters because it is the opposite of how a redirect service should behave. A properly configured domain forwarding service has fixed destinations — you set where the domain goes, and that’s that. There’s no URL parameter for attackers to manipulate.
How It Works
A vulnerable application accepts a redirect destination from the URL:
https://bank.com/login?redirect=https://evil-phishing-site.com
The server redirects to whatever URL is in the parameter — no validation. Attackers use this to:
- Send phishing emails with links that start with https://bank.com/...
- Victims see the trusted domain and click
- They land on the attacker’s fake login page
- Credentials are stolen
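The vulnerable handler described above beside a hardened allow-list check, as an added example that is not code from Domain Forward; `bank.com` as the trusted host is taken from the page's example URL, and the rejected inputs are constructed to show the bypasses a naive `startswith("/")` check misses:

```python
from urllib.parse import urlsplit, urljoin

TRUSTED_HOST = "bank.com"  # assumed host of the site issuing the redirect


def vulnerable_redirect_target(redirect_param: str) -> str:
    """The open-redirect pattern: ?redirect= goes straight into the Location header."""
    return redirect_param


def _normalise(redirect_param: str) -> str:
    # Browsers treat backslashes as slashes and trim surrounding whitespace,
    # so apply the same rules before any check or "/\evil.com" slips through.
    return redirect_param.strip().replace("\\", "/")


def is_safe_redirect(redirect_param: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Allow only a site-relative path or an https URL on the trusted host."""
    if not redirect_param or any(ch in redirect_param for ch in "\t\r\n\x00"):
        return False  # browsers silently drop these; they also enable header injection
    candidate = _normalise(redirect_param)
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ...
    if parts.netloc == "":
        # No host: accept "/path" but not "//host" or "///host", which browsers
        # resolve to another origin; "https:host" (no slashes) is rejected too.
        return candidate.startswith("/") and not candidate.startswith("//")
    # Exact hostname match defeats "bank.com.evil.com" and "bank.com@evil.com"
    return parts.scheme == "https" and parts.hostname == trusted_host


def safe_redirect_target(redirect_param: str, fallback: str = "/") -> str:
    """Value to put in Location: the validated destination or the site root."""
    if not is_safe_redirect(redirect_param):
        return fallback
    return urljoin(f"https://{TRUSTED_HOST}/", _normalise(redirect_param))


if __name__ == "__main__":
    for target in ("/account", "https://evil-phishing-site.com", "//evil-phishing-site.com"):
        print(f"{target!r:40} vulnerable -> {vulnerable_redirect_target(target)!r}")
        print(f"{'':40} hardened   -> {safe_redirect_target(target)!r}")
```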
Why Domain Forward Is Not an Open Redirect
Domain Forward forwarding rules are:
- Owner-configured — only the domain owner sets the destination in the dashboard
- Fixed per domain — old-domain.com always goes to the same destination
- No URL parameters — there’s no ?url= or ?redirect= parameter to exploit
- Authenticated — changing the destination requires logging into your account
This is fundamentally different from an “open redirect” vulnerability, where any user can control the destination through a URL parameter.
Frequently asked questions
An attacker crafts a URL like https://trusted-site.com/redirect?url=https://evil-site.com. Victims see the trusted domain and click, but end up on the attacker's phishing page. This works because the redirect destination isn't validated.
No. Domain Forward redirects are configured by the domain owner in their dashboard — there's no user-supplied URL parameter that could be exploited. The destination is fixed per forwarding rule.
Look for URLs with parameters like ?url=, ?redirect=, or ?next= that accept arbitrary destinations. Test by changing the parameter to an external domain. If the site redirects there without warning, it's an open redirect.
Still Confused? Try It Free.
Set up your first domain forward in under 5 minutes. Free plan includes 5 domains.